Browse by Tags

Tagged Content List
  • Blog Post: This Blog URL Has Changed – Please Update Your Readers

    Things have been quiet on the blog for a while. There is a LOT of code being cranked out at the moment as we work towards some deadlines in the summer on various projects. Our team name has also changed from the Connected Information Security Group (CISG) to the Microsoft IT Information Security Tools...
  • Blog Post: Getting Help for CAT.NET and Anti-XSS

    We now have a discussion forum for users of CAT.NET. There is no official support for these tools but you can ask questions and we will try to help wherever we can! CAT.NET - http://social.msdn.microsoft.com/Forums/en-US/catnet/threads/ Anti-XSS - http://www.codeplex.com/AntiXSS/Thread/List.aspx
  • Blog Post: MSDN Webcast: Software Security with Static Code Analysis Using CAT.NET (Level 200)

    Event Overview In this webcast, we provide an overview of what static code analysis is and typical coding errors that static analysis can and cannot detect. We also look at the recently released CAT.NET tool and how it helps with the detection of security flaws. Presenter: Andreas Fuchsberger, Senior...
  • Blog Post: AntiXSS Library V3.0 - Test Harness

    Hi, Anil Chintala here… In this post I wanted to talk about the new Test Harness application, which was released as part of the AntiXSS V3.0 Beta and is available as a free download on MSDN, with source code available for download on CodePlex. The Test Harness application was created to help users...
  • Blog Post: Current Memory Limitations of CAT.NET

    Hi, Andreas Fuchsberger here..... It is important to understand what happens when CAT.NET builds its Call Flow Super Graphs. We use a CCI object called CciControlGraph to build a Control Flow Graph for each method and each method call we find in the Common Intermediate Language (CIL) of the modules being...
  • Blog Post: Free MSDN Webcast: Managing Cross-Site Scripting Using CAT.NET and AntiXSS (Level 200)

    Language(s): English. Product(s): Security. Audience(s): Developer. Duration: 60 Minutes Start Date: Friday, January 09, 2009 12:00 PM Pacific Time (US & Canada) Register Here
  • Blog Post: Merlin: Better Specifications for CAT.NET

    Guest post by Ben Livshits of Microsoft Research here.... In the last several years we have seen a proliferation of static (and sometimes runtime) analysis tools for finding web application vulnerabilities. Companies such as Fortify, Ouncelabs, Klocwork, and others have been selling tools for finding...
  • Blog Post: Security Code Review Using CAT.NET - Part 2

    Hi Andreas Fuchsberger here again...... How does CAT.NET work? As I mentioned in Part 1 here, CAT.NET is an information-flow type static analysis tool using an implementation of tainted-variable analysis. Tainted-variable analysis is an integrity problem that tries to identify whether less...
  • Blog Post: Security Code Review Using CAT.NET - Part 1

    Hi Andreas Fuchsberger here … To coincide with the CTP release of CAT.NET and Anti-XSS, within the CISG we have been taking a long hard look at static analysis tools for developers and Information Security professionals. Over the next series of blog posts I will explain the fundamentals of the...
  • Blog Post: CAT.NET CTP Links Are Live Again!

    Download CAT.NET CTP (32-bit here and 64-bit here). Anti-XSS was not affected, but for completeness: Download Anti-XSS 3.0 Beta (here and source code here). Our sincere apologies.
  • Blog Post: Secure String in .Net - Part II

    Hi Gaurav Sharma here with more information about SecureStrings. This time I'll cover the following topics: SecureString internals; Performance. Let us start with our first topic, SECURE STRING INTERNALS. BASICS: Class Name: SecureString; Assembly: mscorlib.dll; Latest Version: 2.0.0.0; Namespace: System.Security...
  • Blog Post: How the Anti-XSS 3.0 SRE Works

    RV again... Last time around we looked at SRE from a conceptual perspective; this time let's look at it from a code perspective. Let's trace the program flow and understand in depth what the SRE code does. SRE is an HttpModule; the main class file is AntiXssModule.cs, which inherits from IHttpModule. In the Init...
  • Blog Post: A Sneak Peek at the Security Runtime Engine

    RV here again... Traditionally security fixes are applied to specific pieces of code where a vulnerability exists which usually involves some development and testing effort. Imagine a system where an application is instantly secured by simple configuration. I am specifically talking about ASP.NET applications...
  • Blog Post: ASP.NET Data Binding and AntiXss Encoding

    Hi RV here again... Last time I looked at ASP.NET controls and a few common scenarios where you need to use encoding. A couple of weeks back we looked at a sample data binding scenario. This time let's look exclusively at various ASP.NET data binding techniques and how to use AntiXss to encode the output...
  • Blog Post: Obfuscation Explained...

    Hi Vineet Batta here.... Background Programs written for .NET are relatively easy to reverse engineer. You can use free tools like Lutz Roeder's .NET Reflector to load .NET assemblies and view all the code (IL) contained within them. This is not in any way a fault in the design of .NET; it is simply...
  • Blog Post: Which ASP.NET Controls Need HTML Encoding?

    RV here... Last time we saw some real world XSS examples. This time we will look at which common ASP.NET controls require encoding. Some controls in ASP.NET automatically encode certain properties when rendered, but not all controls do the same. We looked at ASP.NET controls during AntiXss development...
  • Blog Post: Trip Report : Day Three of Gartner BPM Conference

    Marius here again..... Highlights: On average, 80% of the IT budget goes toward maintenance and only 20% goes to new projects. On top of that, IT budgets keep shrinking year after year. This creates a big challenge in funding large initiatives like BPM. IT projects for cost reduction have been successful...
  • Blog Post: There's a LOT More to Building Security Software than Software Security

    Mark Curphey here..... I often get asked exactly what I do for a living at Microsoft. Many people associate my name with OWASP, my personal blog and software security in general. When I say I am a PUM (Product Unit Manager) and run a team that builds security tools most people understandably assume...
  • Blog Post: How Do you Get from Theoretical Physics to Information Security?

    Hi Andreas Fuchsberger here.....and no this is not a new Seinfeld commercial! The much anticipated and televised switch-on of the Large Hadron Collider (LHC) at CERN made me realise again how little we know about life and how much there is still for humanity to explore. It also led me to make a connection...
  • Blog Post: Trip Report : Day Two of Gartner BPM Conference

    Hi Marius here again with highlights from day 2 of the Gartner BPM conference. Back of the Napkin: You may have heard of the book called The Back of the Napkin: Solving Problems and Selling Ideas with Pictures. It’s one of the latest books creating a buzz in the business community. Dan Roam, the author...
  • Blog Post: Trip Report : Day One of Gartner BPM Conference

    Marius Grigoriu here.... I am a Program Manager with CISG and, in keeping with good program management, it's straight down to business. Today was the first official day of the Gartner BPM Conference in Washington, DC, and I am posting daily trip reports. In the Connected Information Security Group we believe...
  • Blog Post: It’s All About the Persona(s)

    Birm here… Has this ever happened to you? It’s happened to me. You sit down to write an application that looks great and works even better. The UI you’ve designed is a model of esthetics and efficiency. You’ve demo’d it to the developer in the next cubicle and she’s...
  • Blog Post: Real World XSS Vulnerabilities in ASP.NET Code

    RV here again... For the past couple of weeks we have been seeing some XSS vulnerabilities in ASP.NET code. Today I wanted to show you guys some real world examples ranging from property assignments, data binding and JavaScript building. For each example, I will offer both the vulnerability and the mitigation, which...
  • Blog Post: SQL Injection - Are Stored Procedures Really Safe?

    Vineet Batta here.... SQL Injection explained: A SQL injection attack is a way to manipulate the SQL statement (insert malicious code) from an application to query or execute commands against the database. This can allow an attacker to not only steal data from your database, but also modify and delete...
  • Blog Post: Checklists and Mnemonics

    Dennis Groves here.... The most common list is the to-do list, and it is the one we are all most familiar with, and so the real value of a checklist is often very misunderstood. Aviation and medicine make heavy use of them. Computer programs are basically a sequential list of operations for the computer...
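The tainted-variable analysis that the "Security Code Review Using CAT.NET - Part 2" post describes, as an added example. This is not CAT.NET's code: CAT.NET runs the propagation over CIL and the call-flow graphs the "Current Memory Limitations of CAT.NET" post mentions, whereas this toy handles a hand-built, straight-line three-address program. The source, sanitizer and sink names, the `Stmt` class and both sample programs are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not CAT.NET's code. A toy tainted-variable analysis over a
// hand-built three-address program; CAT.NET does the same propagation over CIL
// with call-flow graphs, this version handles straight-line code only.
public static class TaintAnalysisDemo
{
    // One statement of the toy program: Target = Call(Args). Call is null for a
    // plain copy (Target = Args[0]); Target is null for a call whose result is unused.
    public class Stmt
    {
        public string Target;
        public string Call;
        public string[] Args;
        public Stmt(string target, string call, params string[] args)
        { Target = target; Call = call; Args = args; }
    }

    // Hypothetical rule sets in the spirit of CAT.NET's sources, sanitizers and sinks.
    static readonly HashSet<string> Sources = new HashSet<string>
        { "Request.QueryString.get_Item", "Request.Form.get_Item" };
    static readonly HashSet<string> Sanitizers = new HashSet<string>
        { "AntiXss.HtmlEncode", "AntiXss.JavaScriptEncode" };
    static readonly HashSet<string> Sinks = new HashSet<string>
        { "Response.Write", "Label.set_Text" };

    // Forward propagation: a variable is tainted if it was produced by a source,
    // or computed from a tainted operand without passing through a sanitizer.
    // Returns one finding per sink call that receives a tainted operand.
    public static List<string> Analyze(IList<Stmt> program)
    {
        var tainted = new HashSet<string>();
        var findings = new List<string>();
        for (int i = 0; i < program.Count; i++)
        {
            Stmt s = program[i];
            bool taintedOperand = s.Args.Any(tainted.Contains);

            if (s.Call != null && Sinks.Contains(s.Call) && taintedOperand)
                findings.Add("stmt " + i + ": tainted value reaches " + s.Call);
            if (s.Target == null) continue;

            if (s.Call != null && Sources.Contains(s.Call))
                tainted.Add(s.Target);          // low-integrity data enters here
            else if (s.Call != null && Sanitizers.Contains(s.Call))
                tainted.Remove(s.Target);       // sanitizer output is trusted
            else if (taintedOperand)
                tainted.Add(s.Target);          // copies, concat, ToString() carry taint
            else
                tainted.Remove(s.Target);       // overwritten with clean data
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed program 1: the classic reflected-XSS shape.
        var vulnerable = new List<Stmt>
        {
            new Stmt("name", "Request.QueryString.get_Item", "\"name\""),
            new Stmt("greeting", "String.Concat", "\"Hello \"", "name"),
            new Stmt(null, "Response.Write", "greeting"),
        };
        // Constructed program 2: the same flow with the output encoded first.
        var fixedUp = new List<Stmt>
        {
            new Stmt("name", "Request.QueryString.get_Item", "\"name\""),
            new Stmt("safe", "AntiXss.HtmlEncode", "name"),
            new Stmt("greeting", "String.Concat", "\"Hello \"", "safe"),
            new Stmt(null, "Response.Write", "greeting"),
        };

        foreach (string f in Analyze(vulnerable)) Console.WriteLine("vulnerable: " + f);
        Console.WriteLine("fixed: " + Analyze(fixedUp).Count + " finding(s)");
    }
}
```

The first program yields one finding at the `Response.Write` statement; the second yields none, because the sanitizer call clears the taint before the concatenation. The toy treats any sanitizer as clearing taint regardless of output context, which is a simplification: HTML encoding does not make a value safe inside a script block, and a real rule set has to pair sanitizers with the sinks they actually protect.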
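The three XSS shapes that the "Real World XSS Vulnerabilities in ASP.NET Code" post lists (property assignment, data binding and JavaScript building), together with the encoding rule behind "Which ASP.NET Controls Need HTML Encoding?" and "ASP.NET Data Binding and AntiXss Encoding", as one added example. This is not code from those posts. It assumes AntiXSS 3.0 (the static `AntiXss` class in `Microsoft.Security.Application`), a hypothetical page whose markup declares the control IDs named in the comments, and a constructed `Comment` record in place of a database row.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXSS 3.0: static class AntiXss

// Added example, not code from the original posts. Code-behind for a
// hypothetical page whose markup is assumed to contain:
//   <asp:Label ID="WelcomeLabel" runat="server" />
//   <asp:Repeater ID="CommentsRepeater" runat="server"
//                 OnItemDataBound="CommentsRepeater_ItemDataBound">
//     <ItemTemplate><p><asp:Literal ID="CommentText" runat="server" /></p></ItemTemplate>
//   </asp:Repeater>
public class ProfilePage : Page
{
    protected Label WelcomeLabel;
    protected Repeater CommentsRepeater;

    // Constructed sample record standing in for a database row.
    public class Comment
    {
        public string Author { get; set; }
        public string Body { get; set; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: a query-string value the user fully controls.
        string name = Request.QueryString["name"] ?? string.Empty;

        // 1. Property assignment. Label.Text is written to the response verbatim,
        //    so this line is an XSS sink:
        //      WelcomeLabel.Text = "Welcome, " + name;
        //    Encode for the HTML body context before assigning.
        WelcomeLabel.Text = "Welcome, " + AntiXss.HtmlEncode(name);

        // 2. JavaScript building. Concatenating the value into script lets a
        //    quote in the input break out of the string literal:
        //      "var user = '" + name + "';"
        //    AntiXss.JavaScriptEncode escapes the value for a JavaScript string
        //    literal; in AntiXSS 3.0 the returned text already carries the
        //    surrounding single quotes (assumed here; verify against the version
        //    you ship before removing the quotes from your own template).
        ClientScript.RegisterStartupScript(GetType(), "greet",
            "var user = " + AntiXss.JavaScriptEncode(name) + ";", true);

        if (!IsPostBack)
        {
            // 3. Data binding. Constructed sample rows; the second one is hostile.
            CommentsRepeater.DataSource = new List<Comment>
            {
                new Comment { Author = "alice",   Body = "Looks good." },
                new Comment { Author = "mallory", Body = "<img src=x onerror=alert(document.cookie)>" }
            };
            CommentsRepeater.DataBind();
        }
    }

    protected void CommentsRepeater_ItemDataBound(object sender, RepeaterItemEventArgs e)
    {
        if (e.Item.ItemType != ListItemType.Item &&
            e.Item.ItemType != ListItemType.AlternatingItem)
            return;

        var comment = (Comment)e.Item.DataItem;
        var text = (Literal)e.Item.FindControl("CommentText");

        // A Literal in its default mode renders Text without encoding, exactly
        // like <%# Eval("Body") %> in markup. Encode on the way out, so the
        // hostile row renders as visible text instead of an executing img tag.
        text.Text = AntiXss.HtmlEncode(comment.Body);
    }
}
```

The same rule applies when the binding is written in markup rather than in `ItemDataBound`: `<%# AntiXss.HtmlEncode(Eval("Body").ToString()) %>` encodes at the point of output, whereas a bare `Eval` does not. The choice of encoder follows the output context (HTML body, attribute, JavaScript, URL), not the control type.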
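The question in the title of "SQL Injection - Are Stored Procedures Really Safe?", answered with an added example that is not code from that post. It assumes a hypothetical table `dbo.Users(Id, Name)` and two hypothetical procedures whose T-SQL is embedded as constants: one builds its statement by concatenation and is injectable however it is called, the other parameterises the dynamic statement with `sp_executesql`. The caller side shows that even the safe procedure is defeated when the `EXEC` batch itself is built by string concatenation.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original post. Hypothetical table
// dbo.Users(Id, Name); the connection string is a placeholder.
public static class StoredProcedureInjectionDemo
{
    // Procedure that is NOT safe: the caller's value is spliced into statement
    // text and handed to EXEC, so quotes and comment markers in @Name are
    // parsed as T-SQL inside the procedure, whatever the caller did.
    public const string UnsafeProcedure = @"
CREATE PROCEDURE dbo.GetUserByName_Unsafe @Name NVARCHAR(50) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name FROM dbo.Users WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END";

    // Same procedure made safe: still dynamic SQL, but the value travels as a
    // typed parameter of sp_executesql and never becomes part of the statement.
    public const string SafeProcedure = @"
CREATE PROCEDURE dbo.GetUserByName_Safe @Name NVARCHAR(50) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name FROM dbo.Users WHERE Name = @n';
    EXEC sp_executesql @sql, N'@n NVARCHAR(50)', @n = @Name;
END";

    // Vulnerable caller: the EXEC batch is built as a string, so the injection
    // happens in the batch parser before the (safe) procedure ever runs.
    public static string BuildUnsafeBatch(string userInput)
    {
        return "EXEC dbo.GetUserByName_Safe '" + userInput + "'";
    }

    // Safe caller: CommandType.StoredProcedure plus a typed SqlParameter means
    // the value is sent as data and is never part of the command text.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string userInput)
    {
        var command = new SqlCommand("dbo.GetUserByName_Safe", connection)
        {
            CommandType = CommandType.StoredProcedure
        };
        command.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = userInput;
        return command;
    }

    public static void Main()
    {
        // Constructed attacker input: closes the string literal, appends a second
        // statement, and comments out whatever follows.
        string attack = "x'; DROP TABLE dbo.Users; --";

        // In the concatenated batch the DROP TABLE becomes a second statement
        // of the batch, regardless of which procedure is named.
        Console.WriteLine(BuildUnsafeBatch(attack));

        using (var connection = new SqlConnection("Server=.;Database=App;Integrated Security=true"))
        {
            SqlCommand safe = BuildSafeCommand(connection, attack);
            // The procedure receives the whole attack string as the value of
            // @Name; with GetUserByName_Safe it is compared as data and matches
            // nothing, with GetUserByName_Unsafe it would still be executed.
            Console.WriteLine(safe.CommandText + "  @Name = " + safe.Parameters["@Name"].Value);
        }
    }
}
```

The point of the procedure pair is that "we only call stored procedures" is a statement about the caller, not about the procedure body: any `EXEC (@sql)` built by concatenation inside the procedure reopens the hole. Reviewing for injection therefore means reading the T-SQL as well as the ADO.NET code.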
Page 1 of 2 (33 items)